Anatomy of a Linux backdoor attack
Through the Back Door

© Photo by David Szweduik on Unsplash
Cybercriminals are increasingly discovering Linux and adapting malware previously designed for Windows systems. We take you inside the Linux version of a famous Windows ransomware tool.
Since the beginning of the year, security researchers from Check Point Research (CPR) have been investigating the activities of a Chinese cyber espionage threat actor focused on Southeast Asia, Africa, and South America. The toolkit for this threat actor includes the DinodasRAT [1] cross-platform backdoor, also known as XDealer, which was previously observed in attacks by the Chinese group known as LuoYu.
This article provides technical analysis of the Linux version (v11) of DinodasRAT, aka Linodas. The Linux edition appears to be more sophisticated than the Windows version and has a range of features specially tailored to Linux servers. In addition, the version under investigation introduces a separate bypass module to hide traces of malware in the system. The execution of the system binary files is modified by proxies.
Dinodas Origins
Several clues indicate DinodasRAT was originally based on the SimpleRemote [2] open source project. SimpleRemote is a remote access tool based on the Windows remote access trojan Gh0st RAT [3], but it has some additional improvements. Similarities between SimpleRemote and an older version of DinodasRAT include the use of the same Zlib library (version 1.2.11) and some overlaps in the code (Figure 1).
[...]
Buy this article as PDF
(incl. VAT)